Equifax slapped with UK’s maximum penalty over 2017 data breach

Credit rating giant Equifax has been issued with the maximum possible penalty by the UK’s data protection agency for last year’s massive data breach.

Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK’s prior privacy regime was in force — rather than the tough new data protection law, brought in via the EU’s GDPR, which allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures.

So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months — thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers.

Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.

The UK data protection regulator is involved because up to 15 million UK citizens’ data was also breached in the attack. And while the hack compromised Equifax’s US systems, the UK citizens’ data was being processed in the US.

The UK’s Information Commissioner’s Office (ICO) said today that the UK arm of Equifax failed to take adequate steps to ensure its US parents was protecting this data.

Reporting the result of its investigation, the ICO said Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 — including, failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement. “We are determined to look after UK citizens’ information wherever it is held.”

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

The ICO says it found that measures that should have been in place to manage personal information were “inadequate and ineffective”, and there were also “significant problems” with data retention, IT system patching, and audit procedures.

It flags the fact that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017, noting that “sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched”.

“Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress,” added Denham, emphasizing the reasons for the ICO to issue the maximum possible penalty for the breach.

The ICO also recently issued Facebook with the same level of fine for allowing user data on up to 87 million Facebook users to be scraped by a third party app which used it to try to build voter targeting models, selling this as a service to a political consultancy involved in US elections.

“Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it,” she continued. “Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

Equifax has responded with disappointment to the ICO’s decision. In a statement responding to the ICO’s ruling, a company spokesperson said: “We have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.

“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”

The company points to a number of changes it says it has made in response to the incident to strengthen its policies and processes, and also highlights ongoing investments in infrastructure and corporate governance procedures, including hiring additional IT staff, which are intended to improve the resilience of its systems to hack attacks.

However it does concede that the breach itself was the result of internal process failings, given that a file containing historical consumer information which should have been deleted was not.

And the key point here is that the ICO’s decision is based on scrutinising exactly what happened that led to the breach occurring.

How a company has acted since a security crisis will be taken into consideration, as part of the overall picture, but having shut the barn door after the horse has bolted is only going to get so much credit vs the reasons for the barn door not being properly secured in the first place. And that’s as it should be given the point of data protection legislation is to encourage companies to prioritize security, not overlook it.

In the Equifax decision the ICO writes: “The Commissioner has also taken into account her underlying objective in imposing a monetary penalty notice, namely to promote compliance with the DPA [data protection act]. She considers that, given the nature, seriousness and potential consequences of the contravention arising in this case, that objective would not be adequately served by an unduly lenient penalty.”